1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright(c) 2020 Intel Corporation. All rights reserved. */
3 #include <uapi/linux/cxl_mem.h>
4 #include <linux/security.h>
5 #include <linux/debugfs.h>
6 #include <linux/module.h>
7 #include <linux/sizes.h>
8 #include <linux/mutex.h>
9 #include <linux/list.h>
10 #include <linux/cdev.h>
11 #include <linux/idr.h>
12 #include <linux/pci.h>
14 #include <linux/io-64-nonatomic-lo-hi.h>
22 * This implements the PCI exclusive functionality for a CXL device as it is
23 * defined by the Compute Express Link specification. CXL devices may surface
24 * certain functionality even if it isn't CXL enabled.
26 * The driver has several responsibilities, mainly:
27 * - Create the memX device and register on the CXL bus.
28 * - Enumerate device's register interface and map them.
29 * - Probe the device attributes to establish sysfs interface.
30 * - Provide an IOCTL interface to userspace to communicate with the device for
31 * things like firmware update.
34 #define cxl_doorbell_busy(cxlm) \
35 (readl((cxlm)->regs.mbox + CXLDEV_MBOX_CTRL_OFFSET) & \
36 CXLDEV_MBOX_CTRL_DOORBELL)
38 /* CXL 2.0 - 8.2.8.4 */
39 #define CXL_MAILBOX_TIMEOUT_MS (2 * HZ)
42 CXL_MBOX_OP_INVALID = 0x0000,
43 CXL_MBOX_OP_RAW = CXL_MBOX_OP_INVALID,
44 CXL_MBOX_OP_GET_FW_INFO = 0x0200,
45 CXL_MBOX_OP_ACTIVATE_FW = 0x0202,
46 CXL_MBOX_OP_GET_SUPPORTED_LOGS = 0x0400,
47 CXL_MBOX_OP_GET_LOG = 0x0401,
48 CXL_MBOX_OP_IDENTIFY = 0x4000,
49 CXL_MBOX_OP_GET_PARTITION_INFO = 0x4100,
50 CXL_MBOX_OP_SET_PARTITION_INFO = 0x4101,
51 CXL_MBOX_OP_GET_LSA = 0x4102,
52 CXL_MBOX_OP_SET_LSA = 0x4103,
53 CXL_MBOX_OP_GET_HEALTH_INFO = 0x4200,
54 CXL_MBOX_OP_GET_ALERT_CONFIG = 0x4201,
55 CXL_MBOX_OP_SET_ALERT_CONFIG = 0x4202,
56 CXL_MBOX_OP_GET_SHUTDOWN_STATE = 0x4203,
57 CXL_MBOX_OP_SET_SHUTDOWN_STATE = 0x4204,
58 CXL_MBOX_OP_GET_POISON = 0x4300,
59 CXL_MBOX_OP_INJECT_POISON = 0x4301,
60 CXL_MBOX_OP_CLEAR_POISON = 0x4302,
61 CXL_MBOX_OP_GET_SCAN_MEDIA_CAPS = 0x4303,
62 CXL_MBOX_OP_SCAN_MEDIA = 0x4304,
63 CXL_MBOX_OP_GET_SCAN_MEDIA = 0x4305,
64 CXL_MBOX_OP_MAX = 0x10000
68 * struct mbox_cmd - A command to be submitted to hardware.
69 * @opcode: (input) The command set and command submitted to hardware.
70 * @payload_in: (input) Pointer to the input payload.
71 * @payload_out: (output) Pointer to the output payload. Must be allocated by
73 * @size_in: (input) Number of bytes to load from @payload_in.
74 * @size_out: (input) Max number of bytes loaded into @payload_out.
75 * (output) Number of bytes generated by the device. For fixed size
76 * outputs commands this is always expected to be deterministic. For
77 * variable sized output commands, it tells the exact number of bytes
79 * @return_code: (output) Error code returned from hardware.
81 * This is the primary mechanism used to send commands to the hardware.
82 * All the fields except @payload_* correspond exactly to the fields described in
83 * Command Register section of the CXL 2.0 8.2.8.4.5. @payload_in and
84 * @payload_out are written to, and read from the Command Payload Registers
85 * defined in CXL 2.0 8.2.8.4.8.
94 #define CXL_MBOX_SUCCESS 0
97 static DECLARE_RWSEM(cxl_memdev_rwsem);
98 static struct dentry *cxl_debugfs;
99 static bool cxl_raw_allow_all;
106 /* See CXL 2.0 Table 170. Get Log Input Payload */
107 static const uuid_t log_uuid[] = {
108 [CEL_UUID] = UUID_INIT(0xda9c0b5, 0xbf41, 0x4b78, 0x8f, 0x79, 0x96,
109 0xb1, 0x62, 0x3b, 0x3f, 0x17),
110 [VENDOR_DEBUG_UUID] = UUID_INIT(0xe1819d9, 0x11a9, 0x400c, 0x81, 0x1f,
111 0xd6, 0x07, 0x19, 0x40, 0x3d, 0x86),
115 * struct cxl_mem_command - Driver representation of a memory device command
116 * @info: Command information as it exists for the UAPI
117 * @opcode: The actual bits used for the mailbox protocol
118 * @flags: Set of flags effecting driver behavior.
120 * * %CXL_CMD_FLAG_FORCE_ENABLE: In cases of error, commands with this flag
121 * will be enabled by the driver regardless of what hardware may have
124 * The cxl_mem_command is the driver's internal representation of commands that
125 * are supported by the driver. Some of these commands may not be supported by
126 * the hardware. The driver will use @info to validate the fields passed in by
127 * the user then submit the @opcode to the hardware.
129 * See struct cxl_command_info.
131 struct cxl_mem_command {
132 struct cxl_command_info info;
135 #define CXL_CMD_FLAG_NONE 0
136 #define CXL_CMD_FLAG_FORCE_ENABLE BIT(0)
139 #define CXL_CMD(_id, sin, sout, _flags) \
140 [CXL_MEM_COMMAND_ID_##_id] = { \
142 .id = CXL_MEM_COMMAND_ID_##_id, \
146 .opcode = CXL_MBOX_OP_##_id, \
151 * This table defines the supported mailbox commands for the driver. This table
152 * is made up of a UAPI structure. Non-negative values as parameters in the
153 * table will be validated against the user's input. For example, if size_in is
154 * 0, and the user passed in 1, it is an error.
156 static struct cxl_mem_command mem_commands[CXL_MEM_COMMAND_ID_MAX] = {
157 CXL_CMD(IDENTIFY, 0, 0x43, CXL_CMD_FLAG_FORCE_ENABLE),
158 #ifdef CONFIG_CXL_MEM_RAW_COMMANDS
159 CXL_CMD(RAW, ~0, ~0, 0),
161 CXL_CMD(GET_SUPPORTED_LOGS, 0, ~0, CXL_CMD_FLAG_FORCE_ENABLE),
162 CXL_CMD(GET_FW_INFO, 0, 0x50, 0),
163 CXL_CMD(GET_PARTITION_INFO, 0, 0x20, 0),
164 CXL_CMD(GET_LSA, 0x8, ~0, 0),
165 CXL_CMD(GET_HEALTH_INFO, 0, 0x12, 0),
166 CXL_CMD(GET_LOG, 0x18, ~0, CXL_CMD_FLAG_FORCE_ENABLE),
167 CXL_CMD(SET_PARTITION_INFO, 0x0a, 0, 0),
168 CXL_CMD(SET_LSA, ~0, 0, 0),
169 CXL_CMD(GET_ALERT_CONFIG, 0, 0x10, 0),
170 CXL_CMD(SET_ALERT_CONFIG, 0xc, 0, 0),
171 CXL_CMD(GET_SHUTDOWN_STATE, 0, 0x1, 0),
172 CXL_CMD(SET_SHUTDOWN_STATE, 0x1, 0, 0),
173 CXL_CMD(GET_POISON, 0x10, ~0, 0),
174 CXL_CMD(INJECT_POISON, 0x8, 0, 0),
175 CXL_CMD(CLEAR_POISON, 0x48, 0, 0),
176 CXL_CMD(GET_SCAN_MEDIA_CAPS, 0x10, 0x4, 0),
177 CXL_CMD(SCAN_MEDIA, 0x11, 0, 0),
178 CXL_CMD(GET_SCAN_MEDIA, 0, ~0, 0),
182 * Commands that RAW doesn't permit. The rationale for each:
184 * CXL_MBOX_OP_ACTIVATE_FW: Firmware activation requires adjustment /
185 * coordination of transaction timeout values at the root bridge level.
187 * CXL_MBOX_OP_SET_PARTITION_INFO: The device memory map may change live
188 * and needs to be coordinated with HDM updates.
190 * CXL_MBOX_OP_SET_LSA: The label storage area may be cached by the
191 * driver and any writes from userspace invalidates those contents.
193 * CXL_MBOX_OP_SET_SHUTDOWN_STATE: Set shutdown state assumes no writes
194 * to the device after it is marked clean, userspace can not make that
197 * CXL_MBOX_OP_[GET_]SCAN_MEDIA: The kernel provides a native error list that
198 * is kept up to date with patrol notifications and error management.
200 static u16 cxl_disabled_raw_commands[] = {
201 CXL_MBOX_OP_ACTIVATE_FW,
202 CXL_MBOX_OP_SET_PARTITION_INFO,
204 CXL_MBOX_OP_SET_SHUTDOWN_STATE,
205 CXL_MBOX_OP_SCAN_MEDIA,
206 CXL_MBOX_OP_GET_SCAN_MEDIA,
210 * Command sets that RAW doesn't permit. All opcodes in this set are
211 * disabled because they pass plain text security payloads over the
212 * user/kernel boundary. This functionality is intended to be wrapped
213 * behind the keys ABI which allows for encrypted payloads in the UAPI
215 static u8 security_command_sets[] = {
217 0x45, /* Persistent Memory Data-at-rest Security */
218 0x46, /* Security Passthrough */
221 #define cxl_for_each_cmd(cmd) \
222 for ((cmd) = &mem_commands[0]; \
223 ((cmd) - mem_commands) < ARRAY_SIZE(mem_commands); (cmd)++)
225 #define cxl_cmd_count ARRAY_SIZE(mem_commands)
227 static int cxl_mem_wait_for_doorbell(struct cxl_mem *cxlm)
229 const unsigned long start = jiffies;
230 unsigned long end = start;
232 while (cxl_doorbell_busy(cxlm)) {
235 if (time_after(end, start + CXL_MAILBOX_TIMEOUT_MS)) {
236 /* Check again in case preempted before timeout test */
237 if (!cxl_doorbell_busy(cxlm))
244 dev_dbg(&cxlm->pdev->dev, "Doorbell wait took %dms",
245 jiffies_to_msecs(end) - jiffies_to_msecs(start));
249 static bool cxl_is_security_command(u16 opcode)
253 for (i = 0; i < ARRAY_SIZE(security_command_sets); i++)
254 if (security_command_sets[i] == (opcode >> 8))
259 static void cxl_mem_mbox_timeout(struct cxl_mem *cxlm,
260 struct mbox_cmd *mbox_cmd)
262 struct device *dev = &cxlm->pdev->dev;
264 dev_dbg(dev, "Mailbox command (opcode: %#x size: %zub) timed out\n",
265 mbox_cmd->opcode, mbox_cmd->size_in);
269 * __cxl_mem_mbox_send_cmd() - Execute a mailbox command
270 * @cxlm: The CXL memory device to communicate with.
271 * @mbox_cmd: Command to send to the memory device.
273 * Context: Any context. Expects mbox_mutex to be held.
274 * Return: -ETIMEDOUT if timeout occurred waiting for completion. 0 on success.
275 * Caller should check the return code in @mbox_cmd to make sure it
278 * This is a generic form of the CXL mailbox send command thus only using the
279 * registers defined by the mailbox capability ID - CXL 2.0 8.2.8.4. Memory
280 * devices, and perhaps other types of CXL devices may have further information
281 * available upon error conditions. Driver facilities wishing to send mailbox
282 * commands should use the wrapper command.
284 * The CXL spec allows for up to two mailboxes. The intention is for the primary
285 * mailbox to be OS controlled and the secondary mailbox to be used by system
286 * firmware. This allows the OS and firmware to communicate with the device and
287 * not need to coordinate with each other. The driver only uses the primary
290 static int __cxl_mem_mbox_send_cmd(struct cxl_mem *cxlm,
291 struct mbox_cmd *mbox_cmd)
293 void __iomem *payload = cxlm->regs.mbox + CXLDEV_MBOX_PAYLOAD_OFFSET;
294 u64 cmd_reg, status_reg;
298 lockdep_assert_held(&cxlm->mbox_mutex);
301 * Here are the steps from 8.2.8.4 of the CXL 2.0 spec.
302 * 1. Caller reads MB Control Register to verify doorbell is clear
303 * 2. Caller writes Command Register
304 * 3. Caller writes Command Payload Registers if input payload is non-empty
305 * 4. Caller writes MB Control Register to set doorbell
306 * 5. Caller either polls for doorbell to be clear or waits for interrupt if configured
307 * 6. Caller reads MB Status Register to fetch Return code
308 * 7. If command successful, Caller reads Command Register to get Payload Length
309 * 8. If output payload is non-empty, host reads Command Payload Registers
311 * Hardware is free to do whatever it wants before the doorbell is rung,
312 * and isn't allowed to change anything after it clears the doorbell. As
313 * such, steps 2 and 3 can happen in any order, and steps 6, 7, 8 can
314 * also happen in any order (though some orders might not make sense).
318 if (cxl_doorbell_busy(cxlm)) {
319 dev_err_ratelimited(&cxlm->pdev->dev,
320 "Mailbox re-busy after acquiring\n");
324 cmd_reg = FIELD_PREP(CXLDEV_MBOX_CMD_COMMAND_OPCODE_MASK,
326 if (mbox_cmd->size_in) {
327 if (WARN_ON(!mbox_cmd->payload_in))
330 cmd_reg |= FIELD_PREP(CXLDEV_MBOX_CMD_PAYLOAD_LENGTH_MASK,
332 memcpy_toio(payload, mbox_cmd->payload_in, mbox_cmd->size_in);
336 writeq(cmd_reg, cxlm->regs.mbox + CXLDEV_MBOX_CMD_OFFSET);
339 dev_dbg(&cxlm->pdev->dev, "Sending command\n");
340 writel(CXLDEV_MBOX_CTRL_DOORBELL,
341 cxlm->regs.mbox + CXLDEV_MBOX_CTRL_OFFSET);
344 rc = cxl_mem_wait_for_doorbell(cxlm);
345 if (rc == -ETIMEDOUT) {
346 cxl_mem_mbox_timeout(cxlm, mbox_cmd);
351 status_reg = readq(cxlm->regs.mbox + CXLDEV_MBOX_STATUS_OFFSET);
352 mbox_cmd->return_code =
353 FIELD_GET(CXLDEV_MBOX_STATUS_RET_CODE_MASK, status_reg);
355 if (mbox_cmd->return_code != 0) {
356 dev_dbg(&cxlm->pdev->dev, "Mailbox operation had an error\n");
361 cmd_reg = readq(cxlm->regs.mbox + CXLDEV_MBOX_CMD_OFFSET);
362 out_len = FIELD_GET(CXLDEV_MBOX_CMD_PAYLOAD_LENGTH_MASK, cmd_reg);
365 if (out_len && mbox_cmd->payload_out) {
367 * Sanitize the copy. If hardware misbehaves, out_len per the
368 * spec can actually be greater than the max allowed size (21
369 * bits available but spec defined 1M max). The caller also may
370 * have requested less data than the hardware supplied even
373 size_t n = min3(mbox_cmd->size_out, cxlm->payload_size, out_len);
375 memcpy_fromio(mbox_cmd->payload_out, payload, n);
376 mbox_cmd->size_out = n;
378 mbox_cmd->size_out = 0;
385 * cxl_mem_mbox_get() - Acquire exclusive access to the mailbox.
386 * @cxlm: The memory device to gain access to.
388 * Context: Any context. Takes the mbox_mutex.
389 * Return: 0 if exclusive access was acquired.
391 static int cxl_mem_mbox_get(struct cxl_mem *cxlm)
393 struct device *dev = &cxlm->pdev->dev;
397 mutex_lock_io(&cxlm->mbox_mutex);
400 * XXX: There is some amount of ambiguity in the 2.0 version of the spec
401 * around the mailbox interface ready (8.2.8.5.1.1). The purpose of the
402 * bit is to allow firmware running on the device to notify the driver
403 * that it's ready to receive commands. It is unclear if the bit needs
404 * to be read for each transaction mailbox, ie. the firmware can switch
405 * it on and off as needed. Second, there is no defined timeout for
406 * mailbox ready, like there is for the doorbell interface.
409 * 1. The firmware might toggle the Mailbox Interface Ready bit, check
410 * it for every command.
412 * 2. If the doorbell is clear, the firmware should have first set the
413 * Mailbox Interface Ready bit. Therefore, waiting for the doorbell
414 * to be ready is sufficient.
416 rc = cxl_mem_wait_for_doorbell(cxlm);
418 dev_warn(dev, "Mailbox interface not ready\n");
422 md_status = readq(cxlm->regs.memdev + CXLMDEV_STATUS_OFFSET);
423 if (!(md_status & CXLMDEV_MBOX_IF_READY && CXLMDEV_READY(md_status))) {
424 dev_err(dev, "mbox: reported doorbell ready, but not mbox ready\n");
430 * Hardware shouldn't allow a ready status but also have failure bits
431 * set. Spit out an error, this should be a bug report
434 if (md_status & CXLMDEV_DEV_FATAL) {
435 dev_err(dev, "mbox: reported ready, but fatal\n");
438 if (md_status & CXLMDEV_FW_HALT) {
439 dev_err(dev, "mbox: reported ready, but halted\n");
442 if (CXLMDEV_RESET_NEEDED(md_status)) {
443 dev_err(dev, "mbox: reported ready, but reset needed\n");
451 mutex_unlock(&cxlm->mbox_mutex);
456 * cxl_mem_mbox_put() - Release exclusive access to the mailbox.
457 * @cxlm: The CXL memory device to communicate with.
459 * Context: Any context. Expects mbox_mutex to be held.
461 static void cxl_mem_mbox_put(struct cxl_mem *cxlm)
463 mutex_unlock(&cxlm->mbox_mutex);
467 * handle_mailbox_cmd_from_user() - Dispatch a mailbox command for userspace.
468 * @cxlm: The CXL memory device to communicate with.
469 * @cmd: The validated command.
470 * @in_payload: Pointer to userspace's input payload.
471 * @out_payload: Pointer to userspace's output payload.
472 * @size_out: (Input) Max payload size to copy out.
473 * (Output) Payload size hardware generated.
474 * @retval: Hardware generated return code from the operation.
477 * * %0 - Mailbox transaction succeeded. This implies the mailbox
478 * protocol completed successfully not that the operation itself
480 * * %-ENOMEM - Couldn't allocate a bounce buffer.
481 * * %-EFAULT - Something happened with copy_to/from_user.
482 * * %-EINTR - Mailbox acquisition interrupted.
483 * * %-EXXX - Transaction level failures.
485 * Creates the appropriate mailbox command and dispatches it on behalf of a
486 * userspace request. The input and output payloads are copied between
489 * See cxl_send_cmd().
491 static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
492 const struct cxl_mem_command *cmd,
493 u64 in_payload, u64 out_payload,
494 s32 *size_out, u32 *retval)
496 struct device *dev = &cxlm->pdev->dev;
497 struct mbox_cmd mbox_cmd = {
498 .opcode = cmd->opcode,
499 .size_in = cmd->info.size_in,
500 .size_out = cmd->info.size_out,
504 if (cmd->info.size_out) {
505 mbox_cmd.payload_out = kvzalloc(cmd->info.size_out, GFP_KERNEL);
506 if (!mbox_cmd.payload_out)
510 if (cmd->info.size_in) {
511 mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
513 if (IS_ERR(mbox_cmd.payload_in)) {
514 kvfree(mbox_cmd.payload_out);
515 return PTR_ERR(mbox_cmd.payload_in);
519 rc = cxl_mem_mbox_get(cxlm);
524 "Submitting %s command for user\n"
527 cxl_command_names[cmd->info.id].name, mbox_cmd.opcode,
530 dev_WARN_ONCE(dev, cmd->info.id == CXL_MEM_COMMAND_ID_RAW,
531 "raw command path used\n");
533 rc = __cxl_mem_mbox_send_cmd(cxlm, &mbox_cmd);
534 cxl_mem_mbox_put(cxlm);
539 * @size_out contains the max size that's allowed to be written back out
540 * to userspace. While the payload may have written more output than
541 * this it will have to be ignored.
543 if (mbox_cmd.size_out) {
544 dev_WARN_ONCE(dev, mbox_cmd.size_out > *size_out,
545 "Invalid return size\n");
546 if (copy_to_user(u64_to_user_ptr(out_payload),
547 mbox_cmd.payload_out, mbox_cmd.size_out)) {
553 *size_out = mbox_cmd.size_out;
554 *retval = mbox_cmd.return_code;
557 kvfree(mbox_cmd.payload_in);
558 kvfree(mbox_cmd.payload_out);
562 static bool cxl_mem_raw_command_allowed(u16 opcode)
566 if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS))
569 if (security_locked_down(LOCKDOWN_NONE))
572 if (cxl_raw_allow_all)
575 if (cxl_is_security_command(opcode))
578 for (i = 0; i < ARRAY_SIZE(cxl_disabled_raw_commands); i++)
579 if (cxl_disabled_raw_commands[i] == opcode)
586 * cxl_validate_cmd_from_user() - Check fields for CXL_MEM_SEND_COMMAND.
587 * @cxlm: &struct cxl_mem device whose mailbox will be used.
588 * @send_cmd: &struct cxl_send_command copied in from userspace.
589 * @out_cmd: Sanitized and populated &struct cxl_mem_command.
592 * * %0 - @out_cmd is ready to send.
593 * * %-ENOTTY - Invalid command specified.
594 * * %-EINVAL - Reserved fields or invalid values were used.
595 * * %-ENOMEM - Input or output buffer wasn't sized properly.
596 * * %-EPERM - Attempted to use a protected command.
598 * The result of this command is a fully validated command in @out_cmd that is
599 * safe to send to the hardware.
601 * See handle_mailbox_cmd_from_user()
603 static int cxl_validate_cmd_from_user(struct cxl_mem *cxlm,
604 const struct cxl_send_command *send_cmd,
605 struct cxl_mem_command *out_cmd)
607 const struct cxl_command_info *info;
608 struct cxl_mem_command *c;
610 if (send_cmd->id == 0 || send_cmd->id >= CXL_MEM_COMMAND_ID_MAX)
614 * The user can never specify an input payload larger than what hardware
615 * supports, but output can be arbitrarily large (simply write out as
616 * much data as the hardware provides).
618 if (send_cmd->in.size > cxlm->payload_size)
622 * Checks are bypassed for raw commands but a WARN/taint will occur
623 * later in the callchain
625 if (send_cmd->id == CXL_MEM_COMMAND_ID_RAW) {
626 const struct cxl_mem_command temp = {
628 .id = CXL_MEM_COMMAND_ID_RAW,
630 .size_in = send_cmd->in.size,
631 .size_out = send_cmd->out.size,
633 .opcode = send_cmd->raw.opcode
636 if (send_cmd->raw.rsvd)
640 * Unlike supported commands, the output size of RAW commands
641 * gets passed along without further checking, so it must be
644 if (send_cmd->out.size > cxlm->payload_size)
647 if (!cxl_mem_raw_command_allowed(send_cmd->raw.opcode))
650 memcpy(out_cmd, &temp, sizeof(temp));
655 if (send_cmd->flags & ~CXL_MEM_COMMAND_FLAG_MASK)
661 if (send_cmd->in.rsvd || send_cmd->out.rsvd)
664 /* Convert user's command into the internal representation */
665 c = &mem_commands[send_cmd->id];
668 /* Check that the command is enabled for hardware */
669 if (!test_bit(info->id, cxlm->enabled_cmds))
672 /* Check the input buffer is the expected size */
673 if (info->size_in >= 0 && info->size_in != send_cmd->in.size)
676 /* Check the output buffer is at least large enough */
677 if (info->size_out >= 0 && send_cmd->out.size < info->size_out)
680 memcpy(out_cmd, c, sizeof(*c));
681 out_cmd->info.size_in = send_cmd->in.size;
683 * XXX: out_cmd->info.size_out will be controlled by the driver, and the
684 * specified number of bytes @send_cmd->out.size will be copied back out
691 static int cxl_query_cmd(struct cxl_memdev *cxlmd,
692 struct cxl_mem_query_commands __user *q)
694 struct device *dev = &cxlmd->dev;
695 struct cxl_mem_command *cmd;
699 dev_dbg(dev, "Query IOCTL\n");
701 if (get_user(n_commands, &q->n_commands))
704 /* returns the total number if 0 elements are requested. */
706 return put_user(cxl_cmd_count, &q->n_commands);
709 * otherwise, return max(n_commands, total commands) cxl_command_info
712 cxl_for_each_cmd(cmd) {
713 const struct cxl_command_info *info = &cmd->info;
715 if (copy_to_user(&q->commands[j++], info, sizeof(*info)))
725 static int cxl_send_cmd(struct cxl_memdev *cxlmd,
726 struct cxl_send_command __user *s)
728 struct cxl_mem *cxlm = cxlmd->cxlm;
729 struct device *dev = &cxlmd->dev;
730 struct cxl_send_command send;
731 struct cxl_mem_command c;
734 dev_dbg(dev, "Send IOCTL\n");
736 if (copy_from_user(&send, s, sizeof(send)))
739 rc = cxl_validate_cmd_from_user(cxlmd->cxlm, &send, &c);
743 /* Prepare to handle a full payload for variable sized output */
744 if (c.info.size_out < 0)
745 c.info.size_out = cxlm->payload_size;
747 rc = handle_mailbox_cmd_from_user(cxlm, &c, send.in.payload,
748 send.out.payload, &send.out.size,
753 if (copy_to_user(s, &send, sizeof(send)))
759 static long __cxl_memdev_ioctl(struct cxl_memdev *cxlmd, unsigned int cmd,
763 case CXL_MEM_QUERY_COMMANDS:
764 return cxl_query_cmd(cxlmd, (void __user *)arg);
765 case CXL_MEM_SEND_COMMAND:
766 return cxl_send_cmd(cxlmd, (void __user *)arg);
772 static long cxl_memdev_ioctl(struct file *file, unsigned int cmd,
775 struct cxl_memdev *cxlmd = file->private_data;
778 down_read(&cxl_memdev_rwsem);
780 rc = __cxl_memdev_ioctl(cxlmd, cmd, arg);
781 up_read(&cxl_memdev_rwsem);
786 static int cxl_memdev_open(struct inode *inode, struct file *file)
788 struct cxl_memdev *cxlmd =
789 container_of(inode->i_cdev, typeof(*cxlmd), cdev);
791 get_device(&cxlmd->dev);
792 file->private_data = cxlmd;
797 static int cxl_memdev_release_file(struct inode *inode, struct file *file)
799 struct cxl_memdev *cxlmd =
800 container_of(inode->i_cdev, typeof(*cxlmd), cdev);
802 put_device(&cxlmd->dev);
807 static void cxl_memdev_shutdown(struct device *dev)
809 struct cxl_memdev *cxlmd = to_cxl_memdev(dev);
811 down_write(&cxl_memdev_rwsem);
813 up_write(&cxl_memdev_rwsem);
816 static const struct cdevm_file_operations cxl_memdev_fops = {
818 .owner = THIS_MODULE,
819 .unlocked_ioctl = cxl_memdev_ioctl,
820 .open = cxl_memdev_open,
821 .release = cxl_memdev_release_file,
822 .compat_ioctl = compat_ptr_ioctl,
823 .llseek = noop_llseek,
825 .shutdown = cxl_memdev_shutdown,
828 static inline struct cxl_mem_command *cxl_mem_find_command(u16 opcode)
830 struct cxl_mem_command *c;
833 if (c->opcode == opcode)
840 * cxl_mem_mbox_send_cmd() - Send a mailbox command to a memory device.
841 * @cxlm: The CXL memory device to communicate with.
842 * @opcode: Opcode for the mailbox command.
843 * @in: The input payload for the mailbox command.
844 * @in_size: The length of the input payload
845 * @out: Caller allocated buffer for the output.
846 * @out_size: Expected size of output.
848 * Context: Any context. Will acquire and release mbox_mutex.
850 * * %>=0 - Number of bytes returned in @out.
851 * * %-E2BIG - Payload is too large for hardware.
852 * * %-EBUSY - Couldn't acquire exclusive mailbox access.
853 * * %-EFAULT - Hardware error occurred.
854 * * %-ENXIO - Command completed, but device reported an error.
855 * * %-EIO - Unexpected output size.
857 * Mailbox commands may execute successfully yet the device itself reported an
858 * error. While this distinction can be useful for commands from userspace, the
859 * kernel will only be able to use results when both are successful.
861 * See __cxl_mem_mbox_send_cmd()
863 static int cxl_mem_mbox_send_cmd(struct cxl_mem *cxlm, u16 opcode,
864 void *in, size_t in_size,
865 void *out, size_t out_size)
867 const struct cxl_mem_command *cmd = cxl_mem_find_command(opcode);
868 struct mbox_cmd mbox_cmd = {
872 .size_out = out_size,
877 if (out_size > cxlm->payload_size)
880 rc = cxl_mem_mbox_get(cxlm);
884 rc = __cxl_mem_mbox_send_cmd(cxlm, &mbox_cmd);
885 cxl_mem_mbox_put(cxlm);
889 /* TODO: Map return code to proper kernel style errno */
890 if (mbox_cmd.return_code != CXL_MBOX_SUCCESS)
894 * Variable sized commands can't be validated and so it's up to the
895 * caller to do that if they wish.
897 if (cmd->info.size_out >= 0 && mbox_cmd.size_out != out_size)
903 static int cxl_mem_setup_mailbox(struct cxl_mem *cxlm)
905 const int cap = readl(cxlm->regs.mbox + CXLDEV_MBOX_CAPS_OFFSET);
908 1 << FIELD_GET(CXLDEV_MBOX_CAP_PAYLOAD_SIZE_MASK, cap);
911 * CXL 2.0 8.2.8.4.3 Mailbox Capabilities Register
913 * If the size is too small, mandatory commands will not work and so
914 * there's no point in going forward. If the size is too large, there's
915 * no harm is soft limiting it.
917 cxlm->payload_size = min_t(size_t, cxlm->payload_size, SZ_1M);
918 if (cxlm->payload_size < 256) {
919 dev_err(&cxlm->pdev->dev, "Mailbox is too small (%zub)",
924 dev_dbg(&cxlm->pdev->dev, "Mailbox payload sized %zu",
930 static struct cxl_mem *cxl_mem_create(struct pci_dev *pdev)
932 struct device *dev = &pdev->dev;
933 struct cxl_mem *cxlm;
935 cxlm = devm_kzalloc(dev, sizeof(*cxlm), GFP_KERNEL);
937 dev_err(dev, "No memory available\n");
938 return ERR_PTR(-ENOMEM);
941 mutex_init(&cxlm->mbox_mutex);
944 devm_kmalloc_array(dev, BITS_TO_LONGS(cxl_cmd_count),
945 sizeof(unsigned long),
946 GFP_KERNEL | __GFP_ZERO);
947 if (!cxlm->enabled_cmds) {
948 dev_err(dev, "No memory available for bitmap\n");
949 return ERR_PTR(-ENOMEM);
955 static void __iomem *cxl_mem_map_regblock(struct cxl_mem *cxlm,
958 struct pci_dev *pdev = cxlm->pdev;
959 struct device *dev = &pdev->dev;
962 /* Basic sanity check that BAR is big enough */
963 if (pci_resource_len(pdev, bar) < offset) {
964 dev_err(dev, "BAR%d: %pr: too small (offset: %#llx)\n", bar,
965 &pdev->resource[bar], (unsigned long long)offset);
966 return IOMEM_ERR_PTR(-ENXIO);
969 addr = pci_iomap(pdev, bar, 0);
971 dev_err(dev, "failed to map registers\n");
975 dev_dbg(dev, "Mapped CXL Memory Device resource bar %u @ %#llx\n",
981 static void cxl_mem_unmap_regblock(struct cxl_mem *cxlm, void __iomem *base)
983 pci_iounmap(cxlm->pdev, base);
986 static int cxl_mem_dvsec(struct pci_dev *pdev, int dvsec)
990 pos = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_DVSEC);
997 pci_read_config_word(pdev, pos + PCI_DVSEC_HEADER1, &vendor);
998 pci_read_config_word(pdev, pos + PCI_DVSEC_HEADER2, &id);
999 if (vendor == PCI_DVSEC_VENDOR_ID_CXL && dvsec == id)
1002 pos = pci_find_next_ext_capability(pdev, pos,
1003 PCI_EXT_CAP_ID_DVSEC);
1009 static int cxl_probe_regs(struct cxl_mem *cxlm, void __iomem *base,
1010 struct cxl_register_map *map)
1012 struct pci_dev *pdev = cxlm->pdev;
1013 struct device *dev = &pdev->dev;
1014 struct cxl_component_reg_map *comp_map;
1015 struct cxl_device_reg_map *dev_map;
1017 switch (map->reg_type) {
1018 case CXL_REGLOC_RBI_COMPONENT:
1019 comp_map = &map->component_map;
1020 cxl_probe_component_regs(dev, base, comp_map);
1021 if (!comp_map->hdm_decoder.valid) {
1022 dev_err(dev, "HDM decoder registers not found\n");
1026 dev_dbg(dev, "Set up component registers\n");
1028 case CXL_REGLOC_RBI_MEMDEV:
1029 dev_map = &map->device_map;
1030 cxl_probe_device_regs(dev, base, dev_map);
1031 if (!dev_map->status.valid || !dev_map->mbox.valid ||
1032 !dev_map->memdev.valid) {
1033 dev_err(dev, "registers not found: %s%s%s\n",
1034 !dev_map->status.valid ? "status " : "",
1035 !dev_map->mbox.valid ? "status " : "",
1036 !dev_map->memdev.valid ? "status " : "");
1040 dev_dbg(dev, "Probing device registers...\n");
1049 static int cxl_map_regs(struct cxl_mem *cxlm, struct cxl_register_map *map)
1051 struct pci_dev *pdev = cxlm->pdev;
1052 struct device *dev = &pdev->dev;
1054 switch (map->reg_type) {
1055 case CXL_REGLOC_RBI_COMPONENT:
1056 cxl_map_component_regs(pdev, &cxlm->regs.component, map);
1057 dev_dbg(dev, "Mapping component registers...\n");
1059 case CXL_REGLOC_RBI_MEMDEV:
1060 cxl_map_device_regs(pdev, &cxlm->regs.device_regs, map);
1061 dev_dbg(dev, "Probing device registers...\n");
1070 static void cxl_decode_register_block(u32 reg_lo, u32 reg_hi,
1071 u8 *bar, u64 *offset, u8 *reg_type)
1073 *offset = ((u64)reg_hi << 32) | (reg_lo & CXL_REGLOC_ADDR_MASK);
1074 *bar = FIELD_GET(CXL_REGLOC_BIR_MASK, reg_lo);
1075 *reg_type = FIELD_GET(CXL_REGLOC_RBI_MASK, reg_lo);
1079 * cxl_mem_setup_regs() - Setup necessary MMIO.
1080 * @cxlm: The CXL memory device to communicate with.
1082 * Return: 0 if all necessary registers mapped.
1084 * A memory device is required by spec to implement a certain set of MMIO
1085 * regions. The purpose of this function is to enumerate and map those
1088 static int cxl_mem_setup_regs(struct cxl_mem *cxlm)
1090 struct pci_dev *pdev = cxlm->pdev;
1091 struct device *dev = &pdev->dev;
1092 u32 regloc_size, regblocks;
1095 struct cxl_register_map *map, *n;
1096 LIST_HEAD(register_maps);
1099 regloc = cxl_mem_dvsec(pdev, PCI_DVSEC_ID_CXL_REGLOC_DVSEC_ID);
1101 dev_err(dev, "register location dvsec not found\n");
1105 if (pci_request_mem_regions(pdev, pci_name(pdev)))
1108 /* Get the size of the Register Locator DVSEC */
1109 pci_read_config_dword(pdev, regloc + PCI_DVSEC_HEADER1, ®loc_size);
1110 regloc_size = FIELD_GET(PCI_DVSEC_HEADER1_LENGTH_MASK, regloc_size);
1112 regloc += PCI_DVSEC_ID_CXL_REGLOC_BLOCK1_OFFSET;
1113 regblocks = (regloc_size - PCI_DVSEC_ID_CXL_REGLOC_BLOCK1_OFFSET) / 8;
1115 for (i = 0; i < regblocks; i++, regloc += 8) {
1121 pci_read_config_dword(pdev, regloc, ®_lo);
1122 pci_read_config_dword(pdev, regloc + 4, ®_hi);
1124 cxl_decode_register_block(reg_lo, reg_hi, &bar, &offset,
1127 dev_dbg(dev, "Found register block in bar %u @ 0x%llx of type %u\n",
1128 bar, offset, reg_type);
1130 /* Ignore unknown register block types */
1131 if (reg_type > CXL_REGLOC_RBI_MEMDEV)
1134 map = kzalloc(sizeof(*map), GFP_KERNEL);
1140 list_add(&map->list, ®ister_maps);
1142 base = cxl_mem_map_regblock(cxlm, bar, offset);
1149 map->block_offset = offset;
1150 map->reg_type = reg_type;
1152 ret = cxl_probe_regs(cxlm, base + offset, map);
1154 /* Always unmap the regblock regardless of probe success */
1155 cxl_mem_unmap_regblock(cxlm, base);
1161 pci_release_mem_regions(pdev);
1163 list_for_each_entry(map, ®ister_maps, list) {
1164 ret = cxl_map_regs(cxlm, map);
1170 list_for_each_entry_safe(map, n, ®ister_maps, list) {
1171 list_del(&map->list);
1178 static int cxl_xfer_log(struct cxl_mem *cxlm, uuid_t *uuid, u32 size, u8 *out)
1180 u32 remaining = size;
1184 u32 xfer_size = min_t(u32, remaining, cxlm->payload_size);
1185 struct cxl_mbox_get_log {
1191 .offset = cpu_to_le32(offset),
1192 .length = cpu_to_le32(xfer_size)
1196 rc = cxl_mem_mbox_send_cmd(cxlm, CXL_MBOX_OP_GET_LOG, &log,
1197 sizeof(log), out, xfer_size);
1202 remaining -= xfer_size;
1203 offset += xfer_size;
1210 * cxl_walk_cel() - Walk through the Command Effects Log.
1212 * @size: Length of the Command Effects Log.
1215 * Iterate over each entry in the CEL and determine if the driver supports the
1216 * command. If so, the command is enabled for the device and can be used later.
1218 static void cxl_walk_cel(struct cxl_mem *cxlm, size_t size, u8 *cel)
1223 } __packed * cel_entry;
1224 const int cel_entries = size / sizeof(*cel_entry);
1227 cel_entry = (struct cel_entry *)cel;
1229 for (i = 0; i < cel_entries; i++) {
1230 u16 opcode = le16_to_cpu(cel_entry[i].opcode);
1231 struct cxl_mem_command *cmd = cxl_mem_find_command(opcode);
1234 dev_dbg(&cxlm->pdev->dev,
1235 "Opcode 0x%04x unsupported by driver", opcode);
1239 set_bit(cmd->info.id, cxlm->enabled_cmds);
1243 struct cxl_mbox_get_supported_logs {
1252 static struct cxl_mbox_get_supported_logs *cxl_get_gsl(struct cxl_mem *cxlm)
1254 struct cxl_mbox_get_supported_logs *ret;
1257 ret = kvmalloc(cxlm->payload_size, GFP_KERNEL);
1259 return ERR_PTR(-ENOMEM);
1261 rc = cxl_mem_mbox_send_cmd(cxlm, CXL_MBOX_OP_GET_SUPPORTED_LOGS, NULL,
1262 0, ret, cxlm->payload_size);
1272 * cxl_mem_enumerate_cmds() - Enumerate commands for a device.
1273 * @cxlm: The device.
1275 * Returns 0 if enumerate completed successfully.
1277 * CXL devices have optional support for certain commands. This function will
1278 * determine the set of supported commands for the hardware and update the
1279 * enabled_cmds bitmap in the @cxlm.
1281 static int cxl_mem_enumerate_cmds(struct cxl_mem *cxlm)
1283 struct cxl_mbox_get_supported_logs *gsl;
1284 struct device *dev = &cxlm->pdev->dev;
1285 struct cxl_mem_command *cmd;
1288 gsl = cxl_get_gsl(cxlm);
1290 return PTR_ERR(gsl);
1293 for (i = 0; i < le16_to_cpu(gsl->entries); i++) {
1294 u32 size = le32_to_cpu(gsl->entry[i].size);
1295 uuid_t uuid = gsl->entry[i].uuid;
1298 dev_dbg(dev, "Found LOG type %pU of size %d", &uuid, size);
1300 if (!uuid_equal(&uuid, &log_uuid[CEL_UUID]))
1303 log = kvmalloc(size, GFP_KERNEL);
1309 rc = cxl_xfer_log(cxlm, &uuid, size, log);
1315 cxl_walk_cel(cxlm, size, log);
1318 /* In case CEL was bogus, enable some default commands. */
1319 cxl_for_each_cmd(cmd)
1320 if (cmd->flags & CXL_CMD_FLAG_FORCE_ENABLE)
1321 set_bit(cmd->info.id, cxlm->enabled_cmds);
1323 /* Found the required CEL */
1333 * cxl_mem_identify() - Send the IDENTIFY command to the device.
1334 * @cxlm: The device to identify.
1336 * Return: 0 if identify was executed successfully.
1338 * This will dispatch the identify command to the device and on success populate
1339 * structures to be exported to sysfs.
1341 static int cxl_mem_identify(struct cxl_mem *cxlm)
1343 /* See CXL 2.0 Table 175 Identify Memory Device Output Payload */
1344 struct cxl_mbox_identify {
1345 char fw_revision[0x10];
1346 __le64 total_capacity;
1347 __le64 volatile_capacity;
1348 __le64 persistent_capacity;
1349 __le64 partition_align;
1350 __le16 info_event_log_size;
1351 __le16 warning_event_log_size;
1352 __le16 failure_event_log_size;
1353 __le16 fatal_event_log_size;
1355 u8 poison_list_max_mer[3];
1356 __le16 inject_poison_limit;
1358 u8 qos_telemetry_caps;
1362 rc = cxl_mem_mbox_send_cmd(cxlm, CXL_MBOX_OP_IDENTIFY, NULL, 0, &id,
1368 * TODO: enumerate DPA map, as 'ram' and 'pmem' do not alias.
1369 * For now, only the capacity is exported in sysfs
1371 cxlm->ram_range.start = 0;
1372 cxlm->ram_range.end = le64_to_cpu(id.volatile_capacity) * SZ_256M - 1;
1374 cxlm->pmem_range.start = 0;
1375 cxlm->pmem_range.end =
1376 le64_to_cpu(id.persistent_capacity) * SZ_256M - 1;
1378 cxlm->lsa_size = le32_to_cpu(id.lsa_size);
1379 memcpy(cxlm->firmware_version, id.fw_revision, sizeof(id.fw_revision));
1384 static int cxl_mem_probe(struct pci_dev *pdev, const struct pci_device_id *id)
1386 struct cxl_memdev *cxlmd;
1387 struct cxl_mem *cxlm;
1390 rc = pcim_enable_device(pdev);
1394 cxlm = cxl_mem_create(pdev);
1396 return PTR_ERR(cxlm);
1398 rc = cxl_mem_setup_regs(cxlm);
1402 rc = cxl_mem_setup_mailbox(cxlm);
1406 rc = cxl_mem_enumerate_cmds(cxlm);
1410 rc = cxl_mem_identify(cxlm);
1414 cxlmd = devm_cxl_add_memdev(&pdev->dev, cxlm, &cxl_memdev_fops);
1416 return PTR_ERR(cxlmd);
1418 if (range_len(&cxlm->pmem_range) && IS_ENABLED(CONFIG_CXL_PMEM))
1419 rc = devm_cxl_add_nvdimm(&pdev->dev, cxlmd);
1424 static const struct pci_device_id cxl_mem_pci_tbl[] = {
1425 /* PCI class code for CXL.mem Type-3 Devices */
1426 { PCI_DEVICE_CLASS((PCI_CLASS_MEMORY_CXL << 8 | CXL_MEMORY_PROGIF), ~0)},
1427 { /* terminate list */ },
1429 MODULE_DEVICE_TABLE(pci, cxl_mem_pci_tbl);
1431 static struct pci_driver cxl_mem_driver = {
1432 .name = KBUILD_MODNAME,
1433 .id_table = cxl_mem_pci_tbl,
1434 .probe = cxl_mem_probe,
1436 .probe_type = PROBE_PREFER_ASYNCHRONOUS,
1440 static __init int cxl_mem_init(void)
1442 struct dentry *mbox_debugfs;
1445 /* Double check the anonymous union trickery in struct cxl_regs */
1446 BUILD_BUG_ON(offsetof(struct cxl_regs, memdev) !=
1447 offsetof(struct cxl_regs, device_regs.memdev));
1449 rc = pci_register_driver(&cxl_mem_driver);
1453 cxl_debugfs = debugfs_create_dir("cxl", NULL);
1454 mbox_debugfs = debugfs_create_dir("mbox", cxl_debugfs);
1455 debugfs_create_bool("raw_allow_all", 0600, mbox_debugfs,
1456 &cxl_raw_allow_all);
1461 static __exit void cxl_mem_exit(void)
1463 debugfs_remove_recursive(cxl_debugfs);
1464 pci_unregister_driver(&cxl_mem_driver);
1467 MODULE_LICENSE("GPL v2");
1468 module_init(cxl_mem_init);
1469 module_exit(cxl_mem_exit);
1470 MODULE_IMPORT_NS(CXL);